Comment Attribution is needed in source only, not license (Score 3, Informative) 303

This doesn't sound onerous to me at all. It doesn't require anything in public documentation, help pages, or otherwise like the MIT license. It simply requires a single URL in a code comment.

This sounds perfectly fine to me--in general, my team and I already do this because it's helpful to know WHY we chose a course of action, especially when it was complicated enough to require SO's help.

http://meta.stackexchange.com/...

What is reasonable attribution?

A URL as a comment in your code is reasonable attribution.

There are certainly other forms of reasonable attribution, depending on use, and you are welcome to go above and beyond what’s required and include username, date, and anything else if you like.

You are also welcome to use the MIT License as it is traditionally interpreted: by preserving the full license with relevant fields (copyright year and copyright holder) completed.

Comment What about SHA2 support in FireFox for DHE? (Score 2) 115

https://bugzilla.mozilla.org/s...

Firefox only currently supports DHE with SHA1. Are they going to add support for SHA256 DHE when they disable SHA1?

To quote Michael Staruch from the above link:
It looked more like attempts to discredit DHE and push everyone into ECC. And I am not so sure if that's best way to protect our privacy, especially with multiple TLS clients supporting only NSA Suite B curves.

Mozilla, we really need DHE to work with SHA256 and GCM. Sure, fall back to something else (with a second connection, if necessary) if weak dhparams are used by the server.

Comment What about SHA2 support for DHE? (Score 1) 47

https://bugzilla.mozilla.org/s...

Firefox only currently supports DHE with SHA1. Are they going to add support for SHA256 DHE when they disable SHA1?

To quote Michael Staruch from the above link:
It looked more like attempts to discredit DHE and push everyone into ECC. And I am not so sure if that's best way to protect our privacy, especially with multiple TLS clients supporting only NSA Suite B curves.

Mozilla, we really need DHE to work with SHA256 and GCM. Sure, fall back to something else (with a second connection, if necessary) if weak dhparams are used by the server.

Comment Re:Logjam (Score 1) 217

ECDH is possibly backdoored by the NSA. From what we know, DH is mathematically sound, provided you generate your own, large enough (2048b or larger) prime.

ECDH in TLS only uses curves proposed by NIST. Some cryptographers believe that constants used to pre-compute the curves are in fact backdoored, which would explain how they decrypt most of the traffic. Curve25519 and a few others are very likely safe, but not available in TLS1.2. ALL available ECDH curves in TLS were proposed by NIST.

I believe that between precomputed ECDH curves and Logjam, the NSA is able to decrypt nearly all https traffic.

https://www.schneier.com/blog/...
"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." - Bruce Schneier on ECDHE curves in TLS

I trust Bruce.

Ideally, the standards body would introduce Curve25519 to TLS1.2. Until then, server operators need to take this advice, configure their servers to prefer DHE (not EC) with 2k+ keys, and turn off older ciphers including EC*.

Oh, and get Firefox to fix this bug: https://bugzilla.mozilla.org/s...
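A check for the "2048b or larger" prime requirement the comment above recommends, as an added example that is not part of the original post: it parses a PEM `DH PARAMETERS` block (PKCS#3 DHParameter, DER `SEQUENCE { INTEGER p, INTEGER g }`) and reports whether the prime meets the Logjam floor. The sample parameters it builds are constructed placeholders (odd numbers of the right size, not primes) purely so the parser can be exercised offline.

```python
import base64
import re

def _der_len(n):  # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value):  # DER INTEGER; the extra leading byte keeps the sign bit clear
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(raw)) + raw

def _read_tlv(buf, pos, tag):
    """Read one DER element at buf[pos] with the expected tag; return (content, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block (PKCS#3 DHParameter: SEQUENCE { p, g })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, _ = _read_tlv(der, 0, 0x30)
    p_bytes, pos = _read_tlv(seq, 0, 0x02)
    g_bytes, _ = _read_tlv(seq, pos, 0x02)
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def check_dh_strength(pem, min_bits=2048):
    """Return (prime_bits, ok): ok is True only when p has at least min_bits bits (Logjam floor)."""
    p, _ = parse_dh_params(pem)
    return p.bit_length(), p.bit_length() >= min_bits

def make_sample_pem(bits):
    """Constructed sample only: p is an odd number of exactly `bits` bits, NOT a real prime group."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
```

Feeding it the file written by `openssl dhparam -out dhparams.pem 2048` confirms a server's own group before it is deployed; a 1024-bit file returns `(1024, False)`.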

Comment Re:Unauthorized teardown (Score 5, Informative) 366

Yep. If you buy an object, you have every right to take it apart.

While I agree with the above statement (and some of your others), they didn't buy the devices. It was a developer preview provided to them under NDA. I think iFixit is clearly in the wrong here.

From the article:
The developer unit we disassembled was sent to us by Apple. Evidently, they didn’t intend for us to take it apart. But we’re a teardown and repair company; teardowns are in our DNA—and nothing makes us happier than figuring out what makes these gadgets tick. We weighed the risks, blithely tossed those risks over our shoulder, and tore down the Apple TV anyway.

Comment Re:You keep using that word. I don't think it mean (Score 1) 346

Yes, it was a real quote:
http://newsroom.t-mobile.com/i...
"I won't let a few thieves ruin things for anyone else."

And rightfully so. These people were NEVER SOLD unlimited tethering data. They WERE sold unlimited data for their phones, but not for tethering. They're bypassing tethering limits to get more data for themselves, which reduces the network for everyone else. It's not even victimless.

Here’s what’s happening: when customers buy our unlimited 4G LTE plan for their smartphones we include a fixed amount of LTE to be used for tethering (using the “Smartphone Mobile HotSpot” feature), at no extra cost, for the occasions when broadband may not be convenient or available. If customers hit that high-speed tethering limit, those tethering speeds slow down. If a customer needs more LTE tethering, they can add-on more. Simple.

However, these violators are going out of their way with all kinds of workarounds to steal more LTE tethered data.


Like I said in an earlier post: since the customer was never sold unlimited tethered data, I don't see what the problem is. It's like going to an all-you-can-eat restaurant and complaining that you can't take your leftovers home.

Comment Re:You keep using that word. I don't think it mean (Score 5, Informative) 346

You realize that these people are sold unlimited data for their phone itself, with metered tethering. The complaint is that they're bypassing the tethering limit, not that they're using unlimited data for the phone itself. Nowhere did T-Mobile ever sell them unlimited tethered data.

From the open letter itself:
http://newsroom.t-mobile.com/i...

Here’s what’s happening: when customers buy our unlimited 4G LTE plan for their smartphones we include a fixed amount of LTE to be used for tethering (using the “Smartphone Mobile HotSpot” feature), at no extra cost, for the occasions when broadband may not be convenient or available. If customers hit that high-speed tethering limit, those tethering speeds slow down. If a customer needs more LTE tethering, they can add-on more. Simple.

However, these violators are going out of their way with all kinds of workarounds to steal more LTE tethered data.


Since the customer was never sold unlimited tethered data, I don't see what the problem is. It's like going to an all-you-can-eat restaurant and complaining that you can't take your leftovers home.

Comment Re:OSX in 2013. (Score 2) 231

MSG:

Thanks for the additional information. None of this is readily available in the first links for Ubuntu, zswap, or Linux, and the items I quoted are either current documentation or statements from 6 months ago--so I expected them to be accurate. In addition, the current kernel documentation of zswap STILL lists it as experimental:
https://www.kernel.org/doc/Doc...

That said, given this info, many of my earlier points were incorrect. I just enabled it on my downstairs desktop. It's still not enabled by default on either Ubuntu or Redhat, but at least it's a reasonable effort to turn on--no kernel recompilation, etc.

Comment Re:OSX in 2013. (Score 4, Insightful) 231

Awesome! I didn't even know this was in Linux. This would be really useful on my desktop downstairs!

...proceeds to Google "zswap linux ubuntu"
http://askubuntu.com/questions/361320/how-can-i-enable-zswap

Oh, so it's not enabled by default in my distro?

According to the kernel documentation, zswap can be enabled by setting zswap.enabled=1 at boot time. Zswap is still an experimental technology

Oh, great, it's experimental.

It has been enabled and disabled at various times throughout release cycles. – Ken Sharp

Wonderful! If I turn it on, it may suddenly turn itself off when I get a kernel update for 14.04.

You know, I often hear "Linux already has that", but it doesn't work right, isn't enabled by default on basically all distros, or isn't configured such that 99% of Linux users aren't using it. Saying you have something when it's experimental, not enabled by default, enables and disables with updates, and not easily available to the vast majority of your users is silly.
